
Debian-LTS alert DLA-226-1 (ntfs-3g)

From:  Thorsten Alteholz <debian@alteholz.de>
To:  debian-lts-announce@lists.debian.org
Subject:  [SECURITY] [DLA 226-1] ntfs-3g security update
Date:  Mon, 25 May 2015 20:02:01 +0200 (CEST)
Message-ID:  <alpine.DEB.2.02.1505252000520.13524@jupiter.server.alteholz.net>

Package        : ntfs-3g
Version        : 1:2010.3.6-1+deb6u1
CVE ID         : CVE-2015-3202

Tavis Ormandy discovered that NTFS-3G, a read-write NTFS driver for FUSE,
does not scrub the environment before executing mount or umount with
elevated privileges. A local user can take advantage of this flaw to
overwrite arbitrary files and gain elevated privileges by accessing
debugging features via the environment that would not normally be safe
for unprivileged users.
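The hardening the advisory points to, as an added example (not code from ntfs-3g or from the Debian update): a privileged wrapper hands the helper it executes a fixed environment instead of the caller's. The function names, the variable CONSTRUCTED_DEBUG_OPTION and the use of /bin/sh as a stand-in for mount/umount are assumptions made for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;

/* Fixed, minimal environment for the privileged child: nothing is inherited. */
static char *const CLEAN_ENV[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };

/* Fork, exec `path` with the given environment and return its exit status,
 * or -1 on failure. Hypothetical helper for this example. */
static int spawn_with_env(const char *path, char *const argv[], char *const envp[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(path, argv, envp);   /* absolute path, so no PATH search */
        _exit(127);                 /* reached only if exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Returns 1 if a variable set by the (unprivileged) caller is visible to the
 * executed helper, 0 if it is not. scrub=0 passes `environ` through, which is
 * the pattern the advisory describes; scrub=1 passes CLEAN_ENV instead. */
int helper_sees_caller_var(int scrub)
{
    char *const argv[] = { "sh", "-c", "test -n \"$CONSTRUCTED_DEBUG_OPTION\"", NULL };
    setenv("CONSTRUCTED_DEBUG_OPTION", "/tmp/constructed-path", 1); /* constructed value */
    return spawn_with_env("/bin/sh", argv, scrub ? CLEAN_ENV : environ) == 0;
}

int main(void)
{
    printf("inherited environment: helper sees caller variable = %d\n", helper_sees_caller_var(0));
    printf("scrubbed environment:  helper sees caller variable = %d\n", helper_sees_caller_var(1));
    return 0;
}
```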

